
Explorer Keeps Redirecting Me


  • This topic is locked
9 replies to this topic

#1 Guest_Donnalee.b_*

Posted 15 June 2008 - 09:37 PM

Hi,

Last week I had a Trojan virus which was making my desktop refresh and then losing my icons and taskbar. So far I have removed what I thought was all of it, as I have my desktop back and programs are running fine now. BUT I have noticed now that my system is running slow, I have this "about windows" information loading on startup - but it is not in my startup menu.

But the most pain of all of this is - when I go to Google and search for a web site, it brings up the list, but when I click on the link it goes to another site that I didn't select. I have to go back again and then click it again to open the site I wanted.

I have run HijackThis and this is what it has come up with (along with StartupList):
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:20:27 PM, on 16/06/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\alg.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\rundll32.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINNT\SOUNDMAN.EXE
C:\WINNT\system32\RunDLL32.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S4I3H2.EXE
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvr32.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINNT\system32\ctfmon.exe
C:\PROGRA~1\MI3AA1~1\wcescomm.exe
C:\Program Files\Nokia1\Nokia PC Suite 6\PCSync2.exe
C:\Program Files\Nokia1\Nokia PC Suite 6\PCSuite.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\Common Files\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\wbem\wmiprvse.exe
F:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = BigPond Dial-Up Residential Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {20247A50-2D46-B557-B5E3-03E73B224B90} - C:\WINNT\system32\fozvjhay.dll
O2 - BHO: (no name) - {3AAF41BB-4369-414D-BE03-22864EE4C6F7} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: (no name) - {44BCA5E3-930E-4F21-9CDF-E363233E2242} - (no file)
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo R210 Series] C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S4I3H2.EXE /P30 "EPSON Stylus Photo R210 Series" /O6 "USB001" /M "Stylus Photo R210"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [UStorag] c:\program files\u-storage tools\ustorage.exe sys_auto_run C:\Program Files\U-Storage Tools
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Picture It Setup wrapper] E:\setup.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ati control panel] atiphexx.exe
O4 - HKLM\..\Run: [mpcdmpif] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\mpcdmpif.dll"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [SpyHunter Security Suite] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
O4 - HKLM\..\RunServices: [ati control panel] atiphexx.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MI3AA1~1\wcescomm.exe"
O4 - HKCU\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia1\Nokia PC Suite 6\PCSync2.exe" /NoDialog
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia1\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKLM\..\Policies\Explorer\Run: [djftShF9ZK] C:\WINNT\system32\winver.exe
O4 - HKUS\S-1-5-19\..\Run: [internat.exe] internat.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [internat.exe] internat.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [internat.exe] internat.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...04YYAU_ZZzer000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/insta...staller_gmn.cab
O16 - DPF: {3AA42713-5C1E-48E2-B432-D8BF420DD31D} - http://antivirus-scanonline.com/AntvrsInstall.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www4.snapfish.com.au/SnapfishActivia.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-24.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1137370572062
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1202695078359
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {DD3641E5-A9CF-11D1-9AA1-444553540000} (Surround Video V3.0 Control Object) - http://www.gctp.com.au/virtualtours/cabs/svideo3.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CS1\Services\VxD\MSTCP: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = qld.bigpond.net.au
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: winzlo32 - winzlo32.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 13705 bytes


Startup List
Running processes:

C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\alg.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\rundll32.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINNT\SOUNDMAN.EXE
C:\WINNT\system32\RunDLL32.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S4I3H2.EXE
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvr32.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINNT\system32\ctfmon.exe
C:\PROGRA~1\MI3AA1~1\wcescomm.exe
C:\Program Files\Nokia1\Nokia PC Suite 6\PCSync2.exe
C:\Program Files\Nokia1\Nokia PC Suite 6\PCSuite.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\Common Files\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\wbem\wmiprvse.exe
F:\HijackThis.exe
C:\WINNT\system32\NOTEPAD.EXE

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

NvCplDaemon = RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
nwiz = nwiz.exe /install
SunJavaUpdateSched = "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
SoundMan = SOUNDMAN.EXE
NvMediaCenter = RunDLL32.exe NvMCTray.dll,NvTaskbarInit
ISUSPM Startup = C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
ISUSScheduler = "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
ANIWZCS2Service = C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
D-Link AirPlus G = C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
type32 = "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
IntelliPoint = "C:\Program Files\Microsoft IntelliPoint\point32.exe"
EPSON Stylus Photo R210 Series = C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S4I3H2.EXE /P30 "EPSON Stylus Photo R210 Series" /O6 "USB001" /M "Stylus Photo R210"
QuickTime Task = "C:\Program Files\QuickTime\QTTask.exe" -atboottime
iTunesHelper = "C:\Program Files\iTunes\iTunesHelper.exe"
Adobe Reader Speed Launcher = "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
UStorag = c:\program files\u-storage tools\ustorage.exe sys_auto_run C:\Program Files\U-Storage Tools
Synchronization Manager = mobsync.exe /logon
Picture It Setup wrapper = E:\setup.exe
NWEReboot =
NeroFilterCheck = C:\WINNT\system32\NeroCheck.exe
ati control panel = atiphexx.exe
mpcdmpif = regsvr32 /u "C:\Documents and Settings\All Users\Application Data\mpcdmpif.dll"
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
osCheck = "C:\Program Files\Norton AntiVirus\osCheck.exe"
SpyHunter Security Suite = C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

ati control panel = atiphexx.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = C:\WINNT\system32\ctfmon.exe
H/PC Connection Agent = "C:\PROGRA~1\MI3AA1~1\wcescomm.exe"
Nokia.PCSync = "C:\Program Files\Nokia1\Nokia PC Suite 6\PCSync2.exe" /NoDialog
PC Suite Tray = "C:\Program Files\Nokia1\Nokia PC Suite 6\PCSuite.exe" -onlytray
SUPERAntiSpyware = C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
=

--------------------------------------------------

Shell & screensaver key from C:\WINNT\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\WINNT\system32\fozvjhay.dll - {20247A50-2D46-B557-B5E3-03E73B224B90}
(no name) - (no file) - {3AAF41BB-4369-414D-BE03-22864EE4C6F7}
WormRadar.com IESiteBlocker.NavFilter - (no file) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
(no name) - (no file) - {44BCA5E3-930E-4F21-9CDF-E363233E2242}
Symantec Intrusion Prevention - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll - {6D53EC84-6AAE-4787-AEEE-F4628F01010C}
(no name) - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
(no name) - (no file) - {7E853D72-626A-48EC-A868-BA8D5E23E045}
(no name) - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll - {9030D464-4C02-4ABF-8ECC-5164760863C6}
(no name) - c:\program files\google\googletoolbar1.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}

--------------------------------------------------

Enumerating Task Scheduler jobs:

AppleSoftwareUpdate.job
Norton AntiVirus - Run Full System Scan - removed.job

--------------------------------------------------

Enumerating Download Program Files:

[Office Genuine Advantage Validation Tool]
InProcServer32 = C:\WINNT\system32\OGACheckControl.DLL
CODEBASE = http://download.microsoft.com/download/e/7.../OGAControl.cab

[Shockwave ActiveX Control]
InProcServer32 = C:\WINNT\system32\macromed\Director\SwDir.dll
CODEBASE = http://download.macromedia.com/pub/shockwa...director/sw.cab

[VerifyGMN Class]
InProcServer32 = C:\WINNT\Downloaded Program Files\hpobjinstaller_gmn.dll
CODEBASE = http://h20270.www2.hp.com/ediags/gmn/insta...staller_gmn.cab

[Shockwave ActiveX Control]
InProcServer32 = C:\WINNT\system32\Macromed\Director\SwDir.dll
CODEBASE = http://fpdownload.macromedia.com/get/shock...director/sw.cab

[{3AA42713-5C1E-48E2-B432-D8BF420DD31D}]
CODEBASE = http://antivirus-scanonline.com/AntvrsInstall.cab

[Office Update Installation Engine]
InProcServer32 = C:\WINNT\opuc.dll
CODEBASE = http://office.microsoft.com/officeupdate/content/opuc2.cab

[Snapfish Activia]
InProcServer32 = C:\WINNT\Downloaded Program Files\SnapfishActivia1000.ocx
CODEBASE = http://www4.snapfish.com.au/SnapfishActivia.cab

[EPUImageControl Class]
InProcServer32 = C:\WINNT\Downloaded Program Files\EPUWALcontrol.dll
CODEBASE = http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-24.cab

[WUWebControl Class]
InProcServer32 = C:\WINNT\system32\wuweb.dll
CODEBASE = http://update.microsoft.com/windowsupdate/...b?1137370572062

[HpProductDetection Class]
InProcServer32 = C:\Program Files\HP\Common\HPDeviceDetection.dll
CODEBASE = http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab

[MUWebControl Class]
InProcServer32 = C:\WINNT\system32\muweb.dll
CODEBASE = http://www.update.microsoft.com/microsoftu...b?1202695078359

[{9F1C11AA-197B-4942-BA54-47A8489BB47F}]
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/...7903.9162268518

[Shockwave Flash Object]
InProcServer32 = C:\WINNT\system32\Macromed\Flash\Flash9b.ocx
CODEBASE = http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

[Surround Video V3.0 Control Object]
InProcServer32 = C:\WINNT\Downloaded Program Files\SVIDEO30.ocx
CODEBASE = http://www.gctp.com.au/virtualtours/cabs/svideo3.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

WebCheck: C:\WINNT\system32\webcheck.dll
SysTray: C:\WINNT\system32\stobject.dll
PostBootReminder: C:\WINNT\system32\SHELL32.dll
CDBurn: C:\WINNT\system32\SHELL32.dll
WPDShServiceObj: C:\WINNT\system32\WPDShServiceObj.dll

--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

djftShF9ZK = C:\WINNT\system32\winver.exe

--------------------------------------------------

End of report, 10,812 bytes
Report generated in 0.188 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only


I have no idea which ones are the ones I need to take off, let alone if I am doing this right - I have never used HijackThis. I would really appreciate anyone's help on this - my system is my life's work doing computer graphics, and with this happening I am ready to throw it out the window.

Thank You

Edited by Orange Blossom, 14 February 2010 - 10:11 PM.
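The poster asks which log entries need attention. As an added example (not code from this thread or from the HijackThis project), the script below runs a few triage heuristics over lines copied from the log above; the rules are assumptions chosen for illustration, and a flag only means "look at this entry", not "this is malware".

```python
"""Heuristic triage of HijackThis-style log lines (added example).

Not code from the thread or from HijackThis. The sample lines are copied
from the posted log; the scoring rules are assumptions chosen to surface
entries a helper would look at first. A flag means "review", not "malware".
"""
from __future__ import annotations

import re

# Constructed subset of the lines from the posted log.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {20247A50-2D46-B557-B5E3-03E73B224B90} - C:\WINNT\system32\fozvjhay.dll
O2 - BHO: (no name) - {3AAF41BB-4369-414D-BE03-22864EE4C6F7} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [mpcdmpif] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\mpcdmpif.dll"
O4 - HKLM\..\RunServices: [ati control panel] atiphexx.exe
O4 - HKLM\..\Policies\Explorer\Run: [djftShF9ZK] C:\WINNT\system32\winver.exe
O16 - DPF: {3AA42713-5C1E-48E2-B432-D8BF420DD31D} - http://antivirus-scanonline.com/AntvrsInstall.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www4.snapfish.com.au/SnapfishActivia.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: winzlo32 - winzlo32.dll (file missing)
"""

# "O4 - HKLM\..\Run: [name] command"  ->  section / body split first
ENTRY_RE = re.compile(r"^(?P<sec>O\d+|R\d) - (?P<body>.+)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.+?) - \{[0-9A-Fa-f-]+\} - (?P<file>.+)$")
O4_RE = re.compile(r"^(?P<key>\S+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
DPF_RE = re.compile(r"^DPF: \{[0-9A-Fa-f-]+\}(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$")
NOTIFY_RE = re.compile(r"^Winlogon Notify: (?P<name>\S+) - (?P<file>.+)$")


def looks_random(name: str) -> bool:
    """Assumed heuristic: a long single token with almost no vowels, or
    mixed case plus digits (e.g. djftShF9ZK). Legit names usually read
    like words; this is a hint for a human, not a verdict."""
    core = re.sub(r"\.(dll|exe)$", "", name, flags=re.I)
    if len(core) < 7 or " " in core:
        return False
    vowel_ratio = sum(c in "aeiouyAEIOUY" for c in core) / len(core)
    mixed = re.search(r"[a-z][A-Z]", core) and re.search(r"\d", core)
    return vowel_ratio < 0.2 or bool(mixed)


def triage(log_text: str) -> list[tuple[str, str, str]]:
    """Return (section, reason, line) for every entry worth a second look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        reasons = []
        if sec == "O2" and (b := BHO_RE.match(body)):
            if b["name"] == "(no name)":
                if b["file"] == "(no file)":
                    reasons.append("orphaned BHO entry, safe cleanup")
                else:
                    reasons.append("unnamed BHO with a DLL on disk")
            if looks_random(b["file"].rsplit("\\", 1)[-1]):
                reasons.append("random-looking DLL name")
        elif sec == "O4" and (o := O4_RE.match(body)):
            key, name, cmd = o["key"], o["name"], o["cmd"]
            if "Policies\\Explorer\\Run" in key:
                reasons.append("Policies\\Explorer\\Run autostart (rare for legitimate software)")
            if "RunServices" in key:
                reasons.append("Win9x-era RunServices key in use")
            if cmd.lower().startswith("regsvr32 /u"):
                reasons.append("unregisters a DLL at every logon")
            if looks_random(name):
                reasons.append("random-looking value name")
        elif sec == "O16" and (d := DPF_RE.match(body)):
            if not d["name"]:
                reasons.append("ActiveX control with no class name")
        elif sec == "O20" and (n := NOTIFY_RE.match(body)):
            if "(file missing)" in n["file"]:
                reasons.append("Winlogon Notify entry whose DLL is missing")
        for reason in reasons:
            findings.append((sec, reason, line))
    return findings


if __name__ == "__main__":
    for sec, reason, line in triage(SAMPLE_LOG):
        print(f"{sec:4} {reason}\n     {line}")
```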




#2 Guest_Cretemonster_*

Posted 17 June 2008 - 06:58 AM

Hi and Welcome to the forums.

Follow the link below to download, install and run SDFix in Safe Mode:
http://www.bleepingcomputer.com/forums/t/131299/how-to-use-sdfix/

After it finishes, post that log and then download ComboFix from Here or Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

#3 Guest_Donnalee.b_*

Posted 17 June 2008 - 05:15 PM

Hi and thank you for taking the time to help me.

Please find below the results after running SDFix.

SDFix: Version 1.194
Run by removed on Wed 18/06/2008 at 07:44 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINNT\system32\a.bat - Deleted
C:\WINNT\system32\TFTP1164 - Deleted
C:\WINNT\system32\TFTP1288 - Deleted
C:\WINNT\system32\TFTP1456 - Deleted
C:\WINNT\system32\TFTP1780 - Deleted
C:\WINNT\system32\TFTP2396 - Deleted
C:\WINNT\system32\TFTP2700 - Deleted
C:\WINNT\system32\TFTP2824 - Deleted
C:\WINNT\system32\TFTP2956 - Deleted
C:\WINNT\system32\TFTP3780 - Deleted
C:\WINNT\system32\TFTP4004 - Deleted
C:\WINNT\system32\TFTP868 - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-18 07:58:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\ICQ\\Icq.exe"="C:\\Program Files\\ICQ\\Icq.exe:*:Enabled:ICQ"
"C:\\Program Files\\iMesh\\Client\\iMeshClient.exe"="C:\\Program Files\\iMesh\\Client\\iMeshClient.exe:*:Enabled:iMesh Client for PC platforms"
"C:\\Program Files\\Microsoft ActiveSync\\WCESCOMM.EXE"="C:\\Program Files\\Microsoft ActiveSync\\WCESCOMM.EXE:*:Enabled:Connection Manager"
"C:\\WINNT\\system32\\fxsclnt.exe"="C:\\WINNT\\system32\\fxsclnt.exe:*:Enabled:Microsoft Fax Console"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMGR.EXE"="C:\\Program Files\\Microsoft ActiveSync\\WCESMGR.EXE:*:Enabled:ActiveSync Application"
"C:\\Program Files\\Telstra\\unpw\\unpwclient.exe"="C:\\Program Files\\Telstra\\unpw\\unpwclient.exe:*:Enabled:BigPond Username/Password Tool"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\WINNT\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"="C:\\WINNT\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE:*:Enabled:SAgent4"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\Program Files\\BitTorrent_DNA\\dna.exe"="C:\\Program Files\\BitTorrent_DNA\\dna.exe:*:Enabled:BitTorrent DNA"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\Microsoft Office\\Office10\\FRONTPG.EXE"="C:\\Program Files\\Microsoft Office\\Office10\\FRONTPG.EXE:*:Enabled:Microsoft FrontPage"
"C:\\Program Files\\Google\\Google SketchUp 6\\SketchUp.exe"="C:\\Program Files\\Google\\Google SketchUp 6\\SketchUp.exe:*:Enabled:SketchUp Application"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\eMule\\emule.exe"="C:\\Program Files\\eMule\\emule.exe:*:Enabled:eMule"
"C:\\Program Files\\ICQ6\\ICQ.exe"="C:\\Program Files\\ICQ6\\ICQ.exe:*:Enabled:ICQ6"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\MSN BackUp\\MSNBackup.exe"="C:\\Program Files\\MSN BackUp\\MSNBackup.exe:*:Enabled:MSN BackUp"
"C:\\Documents and Settings\\removed\\Local Settings\\Temp\\~osA.tmp\\ossproxy.exe"="C:\\Documents and Settings\\removed\\Local Settings\\Temp\\~osA.tmp\\ossproxy.exe:*:Enabled:ossproxy.exe"
"c:\\winnt\\system32\\pmropn.exe"="c:\\winnt\\system32\\pmropn.exe:*:Enabled:pmropn.exe"
"C:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"="C:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe:*:Enabled:Nokia Service Layer Host Process "
"C:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"="C:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe:*:Enabled:Nokia Software Updater"
"C:\\WINNT\\system32\\winver.exe"="C:\\WINNT\\system32\\winver.exe:*:Enabled:winver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

Remaining Files :


File Backups: - C:\SDFix\SDFix\backups\backups.zip

Files with Hidden Attributes :

Mon 14 Apr 2008 60,416 A.SH. --- "C:\Program Files\Outlook Express\msimn.exe"
Sun 6 Nov 2005 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Tue 17 Jun 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Thu 9 Aug 2007 400 A..H. --- "C:\Program Files\Common Files\Symantec Shared\COH\COH32LU.reg"
Thu 9 Aug 2007 403 A..H. --- "C:\Program Files\Common Files\Symantec Shared\COH\COHDLU.reg"
Fri 17 Oct 2003 1,206 A..HR --- "C:\Program Files\Common Files\Symantec Shared\Registry Backup\ccReg.reg"
Fri 17 Oct 2003 12,368 A..HR --- "C:\Program Files\Common Files\Symantec Shared\Registry Backup\CommonClient.reg"

Finished!



I am having problems running ComboFix.exe: it comes up with "combofix.exe is not a valid Win32 application". I will try to download it again now and see if I can run it.

Edited by Orange Blossom, 14 February 2010 - 10:13 PM.


#4 Guest_Donnalee.b_*


Posted 18 June 2008 - 12:42 AM

Hi, here are the ComboFix and new HijackThis reports, as per your request. Again, thank you so much.


ComboFix 08-06-16.5 - removed 2008-06-18 8:16:52.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.546 [GMT 10:00]
Running from: C:\Documents and Settings\removed\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\removed\Application Data\inst.exe
C:\Program Files\windows adstatus
C:\WINNT\assys.dll
C:\WINNT\Downloaded Program Files\setup.inf
C:\WINNT\ffnsys.dll
C:\WINNT\gstcore.dll
C:\WINNT\rsczsys.dll
C:\WINNT\snsys.dll
C:\WINNT\system32\Uxbbcccf.ini
C:\WINNT\system32\Uxbbcccf.ini2
C:\WINNT\system32\waHRtBeg.ini
C:\WINNT\system32\waHRtBeg.ini2
C:\WINNT\uawin.dll
C:\WINNT\Web\default.htt

.
((((((((((((((((((((((((( Files Created from 2008-05-17 to 2008-06-17 )))))))))))))))))))))))))))))))
.

2008-06-18 07:38 . 2008-06-18 07:38 <DIR> d-------- C:\WINNT\ERUNT
2008-06-18 07:37 . 2008-06-18 07:37 <DIR> d-------- C:\SDFix
2008-06-16 12:13 . 2008-06-16 12:13 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-06-16 08:43 . 2008-06-16 08:43 <DIR> d-------- C:\WINNT\system32\scripting
2008-06-16 08:43 . 2008-06-16 08:43 <DIR> d-------- C:\WINNT\system32\en
2008-06-16 08:43 . 2008-06-16 08:43 <DIR> d-------- C:\WINNT\l2schemas
2008-06-16 08:36 . 2008-06-16 08:44 <DIR> d-------- C:\WINNT\ServicePackFiles
2008-06-16 08:10 . 2008-04-14 10:12 1,737,856 --------- C:\WINNT\system32\mtxparhd.dll
2008-06-16 08:09 . 2008-04-14 10:11 1,888,992 --------- C:\WINNT\system32\ati3duag.dll
2008-06-12 10:46 . 2008-06-12 10:46 <DIR> d-------- C:\Program Files\Windows Sidebar
2008-06-12 10:46 . 2008-06-12 15:48 <DIR> d-------- C:\Program Files\Norton AntiVirus
2008-06-12 10:44 . 2008-06-12 14:45 <DIR> d-------- C:\Program Files\Symantec
2008-06-12 10:44 . 2008-06-12 14:45 123,952 --a------ C:\WINNT\system32\drivers\SYMEVENT.SYS
2008-06-12 10:44 . 2008-06-12 14:45 60,800 --a------ C:\WINNT\system32\S32EVNT1.DLL
2008-06-12 10:44 . 2008-06-12 14:45 10,671 --a------ C:\WINNT\system32\drivers\SYMEVENT.CAT
2008-06-12 10:44 . 2008-06-12 14:45 805 --a------ C:\WINNT\system32\drivers\SYMEVENT.INF
2008-06-12 07:03 . 2008-05-09 00:02 203,136 -----c--- C:\WINNT\system32\dllcache\rmcast.sys
2008-06-12 07:02 . 2008-04-14 22:30 272,128 --------- C:\WINNT\system32\drivers\bthport.sys
2008-06-12 07:02 . 2008-04-14 22:30 272,128 -----c--- C:\WINNT\system32\dllcache\bthport.sys
2008-06-11 18:05 . 2008-06-11 18:05 139 --a------ C:\WINNT\system32\winver.bat
2008-06-11 17:14 . 2008-06-11 17:14 <DIR> d-------- C:\VundoFix Backups
2008-06-11 16:08 . 2008-06-11 16:08 <DIR> d-------- C:\Program Files\Lavasoft
2008-06-10 16:01 . 2008-06-10 16:01 <DIR> d--h----- C:\BJPrinter
2008-06-10 15:59 . 2008-06-10 15:59 <DIR> d-------- C:\Program Files\microsoft frontpage
2008-06-06 17:50 . 2008-06-06 08:05 <DIR> dr------- C:\Documents and Settings\All Users.WINDOWS\Documents
2008-06-06 17:49 . 2008-06-16 09:38 <DIR> d--h----- C:\Documents and Settings\Default User.WINDOWS
2008-06-06 17:49 . 2008-06-06 08:07 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS
2008-06-06 17:42 . 2008-06-06 12:02 <DIR> d-------- C:\311WINDOWS
2008-06-06 13:56 . 2008-06-06 15:21 <DIR> d--hs---- C:\found.000
2008-06-06 08:16 . 2008-06-06 08:16 <DIR> d-------- C:\Documents and Settings\removed
2008-06-06 08:14 . 2008-06-06 08:14 <DIR> d--hs---- C:\Documents and Settings\NetworkService.NT AUTHORITY
2008-06-06 08:14 . 2008-06-06 08:14 <DIR> d--hs---- C:\Documents and Settings\LocalService.NT AUTHORITY
2008-06-06 08:07 . 2008-06-06 08:08 <DIR> d--hs---- C:\Documents and Settings\All Users.WINDOWS\DRM
2008-06-05 12:03 . 2008-06-05 12:03 106,496 --a------ C:\WINNT\system32\fozvjhay.dll
2008-06-05 12:03 . 2008-06-05 12:03 106,496 --a------ C:\Documents and Settings\All Users\Application Data\mpcdmpif.dll
2008-06-05 10:52 . 2007-03-28 20:29 131,944 --a------ C:\WINNT\system32\drivers\symsnap.sys
2008-06-05 10:52 . 2007-03-28 20:49 128,104 --a------ C:\WINNT\system32\drivers\WimFltr.sys
2008-06-05 10:52 . 2007-03-28 20:29 37,864 --a------ C:\WINNT\system32\drivers\v2imount.sys
2008-06-05 10:52 . 2007-03-28 20:23 14,072 --a------ C:\WINNT\system32\drivers\vproeventmonitor.sys
2008-06-05 07:40 . 2008-06-05 07:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ViceVersa PRO 2
2008-06-05 07:36 . 2008-06-05 07:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\KLS Soft
2008-06-05 07:09 . 2008-06-05 07:11 <DIR> d-------- C:\Program Files\Siber Systems
2008-06-05 07:09 . 2008-06-05 07:10 <DIR> d-------- C:\Documents and Settings\removed\Application Data\GoodSync
2008-06-05 06:32 . 2008-06-05 07:09 <DIR> d-------- C:\Program Files\RSJ HD Image
2008-05-22 17:58 . 2008-05-22 17:58 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-05-22 17:58 . 2008-05-22 17:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nokia
2008-05-22 17:58 . 2008-02-01 15:17 138,112 --a------ C:\WINNT\system32\drivers\nmwcdnsu.sys
2008-05-22 17:58 . 2008-02-01 15:17 8,320 --a------ C:\WINNT\system32\drivers\nmwcdnsuc.sys
2008-05-22 17:57 . 2008-05-22 17:57 <DIR> d-------- C:\Program Files\Nokia

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-16 03:20 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-06-15 00:12 --------- d-----w C:\Program Files\Google
2008-06-12 04:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-06-12 00:56 --------- d-----w C:\Documents and Settings\removed\Application Data\Symantec
2008-06-12 00:49 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-06-12 00:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-06-12 00:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-06-11 20:58 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-11 06:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-11 06:11 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-06-11 06:11 --------- d-----w C:\Documents and Settings\removed\Application Data\SUPERAntiSpyware.com
2008-06-10 06:01 --------- d-----w C:\Documents and Settings\removed\Application Data\AVG7
2008-06-06 05:58 --------- d-----w C:\Documents and Settings\removed\Application Data\dvdcss
2008-06-04 22:53 --------- d-----w C:\Documents and Settings\removed\Application Data\uTorrent
2008-06-04 21:43 --------- d-----w C:\Program Files\ICQ6
2008-05-23 06:23 --------- d-----w C:\Program Files\eMule
2008-05-22 07:57 --------- d-----w C:\Program Files\Common Files\Nokia
2008-05-22 07:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Installations
2008-05-18 21:04 --------- d-----w C:\Documents and Settings\removed\Application Data\Apple Computer
2008-05-18 21:03 --------- d-----w C:\Program Files\iPod
2008-05-14 08:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-05-08 14:02 203,136 ----a-w C:\WINNT\system32\drivers\rmcast.sys
2008-05-07 09:57 --------- d-----w C:\Documents and Settings\removed\Application Data\PC Suite
2008-05-01 20:37 --------- d-----w C:\Program Files\NCH Swift Sound
2008-04-30 20:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
2008-04-30 20:53 --------- d-----w C:\Program Files\NCH Software
2008-04-30 20:53 --------- d-----w C:\Documents and Settings\removed\Application Data\NCH Swift Sound
2008-04-28 20:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\PC Suite
2008-04-28 07:04 0 ---ha-w C:\WINNT\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-04-28 07:04 0 ---ha-w C:\WINNT\system32\drivers\Msft_Kernel_ccdcmb_01005.Wdf
2008-04-28 06:25 --------- d-----w C:\Program Files\Nokia1
2008-04-28 06:25 --------- d-----w C:\Program Files\Common Files\PCSuite
2008-04-28 06:25 --------- d-----w C:\Documents and Settings\removed\Application Data\Nokia
2008-04-28 06:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Downloaded Installations
2008-04-28 06:23 --------- d-----w C:\Program Files\PC Connectivity Solution
2008-04-28 05:40 --------- d-----w C:\Documents and Settings\removed\Application Data\DataLayer
2008-04-25 22:10 --------- d-----w C:\Documents and Settings\removed\Application Data\LimeWire
2008-04-14 00:12 69,120 ----a-w C:\WINNT\notepad.exe
2008-04-14 00:12 50,688 ----a-w C:\WINNT\twain_32.dll
2008-04-14 00:12 34,816 ----a-w C:\WINNT\Help\sniffpol.dll
2008-04-14 00:12 33,280 ----a-w C:\WINNT\Help\sstub.dll
2008-04-14 00:12 32,866 ------w C:\WINNT\slrundll.exe
2008-04-14 00:12 283,648 ----a-w C:\WINNT\winhlp32.exe
2008-04-14 00:12 279,040 ----a-w C:\WINNT\Help\tshoot.dll
2008-04-14 00:12 146,432 ----a-w C:\WINNT\regedit.exe
2008-04-14 00:12 10,752 ----a-w C:\WINNT\hh.exe
2008-04-14 00:12 1,033,728 ----a-w C:\WINNT\explorer.exe
2008-04-14 00:11 451,072 ----a-w C:\WINNT\AppPatch\aclayers.dll
2008-04-14 00:11 39,424 ----a-w C:\WINNT\AppPatch\acadproc.dll
2008-04-14 00:11 245,248 ----a-w C:\WINNT\AppPatch\acspecfc.dll
2008-04-14 00:11 141,312 ----a-w C:\WINNT\AppPatch\aclua.dll
2008-04-14 00:11 116,224 ----a-w C:\WINNT\AppPatch\acxtrnal.dll
2008-04-14 00:11 1,852,928 ----a-w C:\WINNT\AppPatch\acgenral.dll
2007-11-02 01:18 47,360 ----a-w C:\Documents and Settings\removed\Application Data\pcouffin.sys
2004-08-09 13:30 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
2003-10-15 08:24 148 -c--a-w C:\Program Files\INSTALL.LOG
2003-10-10 03:14 271 -csh--w C:\Program Files\desktop.ini
2003-10-10 03:14 21,952 -c-ha-w C:\Program Files\folder.htt
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{20247A50-2D46-B557-B5E3-03E73B224B90}]
2008-06-05 12:03 106496 --a------ C:\WINNT\system32\fozvjhay.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
2008-06-12 14:47 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINNT\system32\ctfmon.exe" [2008-04-14 10:12 15360]
"H/PC Connection Agent"="C:\PROGRA~1\MI3AA1~1\wcescomm.exe" [2006-11-13 13:39 1289000]
"Nokia.PCSync"="C:\Program Files\Nokia1\Nokia PC Suite 6\PCSync2.exe" [2008-03-26 18:41 1232896]
"PC Suite Tray"="C:\Program Files\Nokia1\Nokia PC Suite 6\PCSuite.exe" [2008-04-16 12:53 1079808]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINNT\System32\NvCpl.dll" [2005-02-24 07:32 5537792]
"nwiz"="nwiz.exe" [2005-02-24 07:32 1495040 C:\WINNT\system32\nwiz.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"SoundMan"="SOUNDMAN.EXE" [2003-02-27 16:29 47104 C:\WINNT\SOUNDMAN.EXE]
"NvMediaCenter"="NvMCTray.dll" [2005-02-24 07:32 86016 C:\WINNT\system32\nvmctray.dll]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-04-17 12:41 196608]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-04-13 06:07 69632]
"ANIWZCS2Service"="C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2004-12-16 17:49 49152]
"D-Link AirPlus G"="C:\Program Files\D-Link\AirPlus G\AirGCFG.exe" [2005-07-22 10:42 1519616]
"type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe" [2003-05-16 09:45 114688]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2003-05-16 09:41 163840]
"EPSON Stylus Photo R210 Series"="C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S4I3H2.exe" [2003-09-11 13:00 99840]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-12-11 10:56 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-11 12:10 267048]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"UStorag"="c:\program files\u-storage tools\ustorage.exe" [ ]
"Synchronization Manager"="mobsync.exe" [2008-04-14 10:12 143360 C:\WINNT\system32\mobsync.exe]
"Picture It Setup wrapper"="E:\setup.exe" [ ]
"NWEReboot"="" []
"NeroFilterCheck"="C:\WINNT\system32\NeroCheck.exe" [2001-07-09 14:50 155648]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-02-14 11:01 51048]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2007-08-25 14:53 714608]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"="internat.exe" [2003-06-20 22:00 20752 C:\WINNT\system32\internat.exe]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [ ]
"ati control panel"="atiphexx.exe" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [2008-04-14 10:12 214528]
"tscuninstall"="C:\WINNT\system32\tscupgrd.exe" [2004-08-04 22:00 44544]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winzlo32]
winzlo32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= mmdrv.dll
"msacm.divxa32"= DivXa32.acm
"vidc.yvu9"= C:\WINNT\system32\iyvu9_32.dll
"vidc.CDVC"= cdvccodc.dll
"vids.CDVC"= cdvccodc.dll
"MSACM.CEGSM"= mobilev.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
backup=C:\WINNT\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Picture Transfer Software.lnk]
backup=C:\WINNT\pss\KODAK Picture Transfer Software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\duhuh]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnappau]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft ActiveSync\\WCESCOMM.EXE"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\Program Files\\Microsoft ActiveSync\\WCESMGR.EXE"=
"C:\\Program Files\\Telstra\\unpw\\unpwclient.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\WINNT\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\eMule\\emule.exe"=
"C:\\Program Files\\ICQ6\\ICQ.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
"C:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
"C:\\WINNT\\system32\\winver.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R2 LiveUpdate Notice;LiveUpdate Notice;"C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon []
R3 EL910;3Com 3CSOHO100B-TX PCI;C:\WINNT\system32\DRIVERS\EL910N51.sys [2002-05-29 16:54]
R3 usbprint;Microsoft USB PRINTER Class;C:\WINNT\system32\DRIVERS\usbprint.sys [2008-04-14 04:47]
S2 pciinfo;HP Pci Information;C:\DOCUME~1\removed~1\LOCALS~1\Temp\ipaqhpdom\pciinfo.sys []
S3 COH_Mon;COH_Mon;C:\WINNT\system32\Drivers\COH_Mon.sys [2008-03-06 21:32]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;C:\WINNT\system32\drivers\nmwcdnsu.sys [2008-02-01 15:17]
S3 nmwcdnsuc;Nokia USB Flashing Generic;C:\WINNT\system32\drivers\nmwcdnsuc.sys [2008-02-01 15:17]
S3 usb2vcom;USB to Serial Bridge Controller;C:\WINNT\system32\Drivers\usb2vcom.sys [2005-05-25 11:24]
S3 usbhub20;USB 2.0 Root Hub Support;C:\WINNT\system32\DRIVERS\usbhub20.sys [2003-06-19 22:05]
S3 USTOR;U-Storage Controller;C:\WINNT\system32\DRIVERS\UStork.sys [2004-01-14 18:22]
S4 ptssvc;ptssvc;C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe []

.
Contents of the 'Scheduled Tasks' folder
"2007-12-16 22:07:43 C:\WINNT\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-06-12 00:58:19 C:\WINNT\Tasks\Norton AntiVirus - Run Full System Scan - removed.job"
- C:\Program Files\Norton AntiVirus\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-18 08:22:09
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\rundll32.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-06-18 8:33:22 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-17 22:33:14

Pre-Run: 15,833,755,648 bytes free
Post-Run: 15,777,288,192 bytes free

280 --- E O F --- 2008-06-11 21:48:53


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:39:59 PM, on 18/06/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S4I3H2.EXE
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\PROGRA~1\MI3AA1~1\wcescomm.exe
C:\Program Files\Nokia1\Nokia PC Suite 6\PCSync2.exe
C:\Program Files\Nokia1\Nokia PC Suite 6\PCSuite.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\explorer.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
F:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {20247A50-2D46-B557-B5E3-03E73B224B90} - C:\WINNT\system32\fozvjhay.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo R210 Series] C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S4I3H2.EXE /P30 "EPSON Stylus Photo R210 Series" /O6 "USB001" /M "Stylus Photo R210"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [UStorag] c:\program files\u-storage tools\ustorage.exe sys_auto_run C:\Program Files\U-Storage Tools
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Picture It Setup wrapper] E:\setup.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MI3AA1~1\wcescomm.exe"
O4 - HKCU\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia1\Nokia PC Suite 6\PCSync2.exe" /NoDialog
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia1\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [internat.exe] internat.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [internat.exe] internat.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [internat.exe] internat.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...04YYAU_ZZzer000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/insta...staller_gmn.cab
O16 - DPF: {3AA42713-5C1E-48E2-B432-D8BF420DD31D} - http://antivirus-scanonline.com/AntvrsInstall.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www4.snapfish.com.au/SnapfishActivia.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-24.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1137370572062
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1202695078359
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {DD3641E5-A9CF-11D1-9AA1-444553540000} (Surround Video V3.0 Control Object) - http://www.gctp.com.au/virtualtours/cabs/svideo3.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CS1\Services\VxD\MSTCP: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = qld.bigpond.net.au
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: winzlo32 - winzlo32.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 12370 bytes

Edited by Orange Blossom, 14 February 2010 - 10:15 PM.


#5 Guest_Cretemonster_*

Posted 18 June 2008 - 02:10 PM

Copy the text below to notepad and save it to the desktop with the name CFScript

File::
C:\WINNT\system32\fozvjhay.dll
C:\Documents and Settings\All Users\Application Data\mpcdmpif.dll
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{20247A50-2D46-B557-B5E3-03E73B224B90}]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ati control panel"=-
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winzlo32]

Once saved, drag CFScript.txt on top of ComboFix.exe; this will launch the tool and begin the script.


Once completed, post the new ComboFix log. After posting that log, please run the F-Secure Online Scanner.

Note: This Scanner is for Internet Explorer Only
  • Follow the Instruction on the F-Secure page for proper installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and Copy&Paste the entire report in your next reply.
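An added example, not ComboFix's own code and not part of the helper's post: a small Python reviewer that parses the CFScript above and lists exactly what it asks ComboFix to delete, so the actions can be checked against the HijackThis findings before the script is run. It assumes only the two section types (File::, Registry::) and the REGEDIT4-style deletion lines used in this script; anything else is reported as unrecognized rather than guessed at.

```python
"""Review a ComboFix CFScript before running it (added example, not ComboFix code).

Supported directives (the ones used in the thread's script):
  File::            each following line is an absolute path to delete
  Registry::        REGEDIT4-style lines:
      [-KEY]        delete the whole key
      [KEY]         open a key; following "name"=- lines delete values
      "name"=-      delete a value under the currently open key
A key opened with no value lines is flagged for manual review: under plain
REGEDIT4 semantics such a header would create the key if it were missing.
"""
import re
from dataclasses import dataclass, field

# Constructed from the script posted in the thread (same content, embedded here).
SAMPLE_SCRIPT = r"""File::
C:\WINNT\system32\fozvjhay.dll
C:\Documents and Settings\All Users\Application Data\mpcdmpif.dll
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{20247A50-2D46-B557-B5E3-03E73B224B90}]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ati control panel"=-
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winzlo32]
"""

SECTION_RE = re.compile(r"^(\w+)::\s*$")
KEY_RE = re.compile(r"^\[(-?)(.+)\]$")
VALUE_DEL_RE = re.compile(r'^"(.*)"=-$')
ABS_PATH_RE = re.compile(r"^[A-Za-z]:\\")


@dataclass
class ScriptActions:
    delete_files: list = field(default_factory=list)
    delete_keys: list = field(default_factory=list)
    delete_values: list = field(default_factory=list)  # (key, value name)
    bare_keys: list = field(default_factory=list)      # keys opened with no value lines
    unrecognized: list = field(default_factory=list)   # (line number, text)


def parse_cfscript(text):
    """Return the actions a CFScript requests, without executing anything."""
    actions = ScriptActions()
    section = None
    current_key = None
    key_has_values = False

    def close_key():
        # A [KEY] header followed by no "name"=- lines deletes nothing; flag it.
        nonlocal current_key, key_has_values
        if current_key is not None and not key_has_values:
            actions.bare_keys.append(current_key)
        current_key, key_has_values = None, False

    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            close_key()
            section = m.group(1)
            if section not in ("File", "Registry"):
                actions.unrecognized.append((lineno, line))
            continue
        if section == "File":
            # Only absolute paths are accepted; wildcards or relative paths are flagged.
            if ABS_PATH_RE.match(line):
                actions.delete_files.append(line)
            else:
                actions.unrecognized.append((lineno, line))
        elif section == "Registry":
            m = KEY_RE.match(line)
            if m:
                close_key()
                if m.group(1) == "-":
                    actions.delete_keys.append(m.group(2))
                else:
                    current_key = m.group(2)
                continue
            m = VALUE_DEL_RE.match(line)
            if m and current_key is not None:
                actions.delete_values.append((current_key, m.group(1)))
                key_has_values = True
                continue
            actions.unrecognized.append((lineno, line))
        else:
            actions.unrecognized.append((lineno, line))
    close_key()
    return actions


def describe(actions):
    """Human-readable summary lines for a reviewer."""
    out = [f"delete file: {p}" for p in actions.delete_files]
    out += [f"delete key: {k}" for k in actions.delete_keys]
    out += [f"delete value '{v}' under {k}" for k, v in actions.delete_values]
    out += [f"REVIEW: key opened but no values listed: {k}" for k in actions.bare_keys]
    out += [f"UNRECOGNIZED line {n}: {t}" for n, t in actions.unrecognized]
    return out


if __name__ == "__main__":
    for entry in describe(parse_cfscript(SAMPLE_SCRIPT)):
        print(entry)
```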


#6 Guest_Donnalee.b_*

Posted 18 June 2008 - 03:59 PM

Here are the results of the new ComboFix run. Just a question: I have noticed that in the result it says the Recovery Console is not installed. How can I get this back so that I have a recovery point?

ComboFix 08-06-16.5 - removed 2008-06-19 6:46:21.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.513 [GMT 10:00]
Running from: C:\Documents and Settings\removed\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\removed\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Documents and Settings\All Users\Application Data\mpcdmpif.dll
C:\WINNT\system32\fozvjhay.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\mpcdmpif.dll
C:\WINNT\system32\fozvjhay.dll

.
((((((((((((((((((((((((( Files Created from 2008-05-18 to 2008-06-18 )))))))))))))))))))))))))))))))
.

2008-06-18 07:38 . 2008-06-18 07:38 <DIR> d-------- C:\WINNT\ERUNT
2008-06-18 07:37 . 2008-06-18 07:37 <DIR> d-------- C:\SDFix
2008-06-16 12:13 . 2008-06-16 12:13 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-06-16 08:43 . 2008-06-16 08:43 <DIR> d-------- C:\WINNT\system32\scripting
2008-06-16 08:43 . 2008-06-16 08:43 <DIR> d-------- C:\WINNT\system32\en
2008-06-16 08:43 . 2008-06-16 08:43 <DIR> d-------- C:\WINNT\l2schemas
2008-06-16 08:36 . 2008-06-16 08:44 <DIR> d-------- C:\WINNT\ServicePackFiles
2008-06-16 08:10 . 2008-04-14 10:12 1,737,856 --------- C:\WINNT\system32\mtxparhd.dll
2008-06-16 08:09 . 2008-04-14 10:11 1,888,992 --------- C:\WINNT\system32\ati3duag.dll
2008-06-12 10:46 . 2008-06-12 10:46 <DIR> d-------- C:\Program Files\Windows Sidebar
2008-06-12 10:46 . 2008-06-12 15:48 <DIR> d-------- C:\Program Files\Norton AntiVirus
2008-06-12 10:44 . 2008-06-12 14:45 <DIR> d-------- C:\Program Files\Symantec
2008-06-12 10:44 . 2008-06-12 14:45 123,952 --a------ C:\WINNT\system32\drivers\SYMEVENT.SYS
2008-06-12 10:44 . 2008-06-12 14:45 60,800 --a------ C:\WINNT\system32\S32EVNT1.DLL
2008-06-12 10:44 . 2008-06-12 14:45 10,671 --a------ C:\WINNT\system32\drivers\SYMEVENT.CAT
2008-06-12 10:44 . 2008-06-12 14:45 805 --a------ C:\WINNT\system32\drivers\SYMEVENT.INF
2008-06-12 07:03 . 2008-05-09 00:02 203,136 -----c--- C:\WINNT\system32\dllcache\rmcast.sys
2008-06-12 07:02 . 2008-04-14 22:30 272,128 --------- C:\WINNT\system32\drivers\bthport.sys
2008-06-12 07:02 . 2008-04-14 22:30 272,128 -----c--- C:\WINNT\system32\dllcache\bthport.sys
2008-06-11 18:05 . 2008-06-11 18:05 139 --a------ C:\WINNT\system32\winver.bat
2008-06-11 17:14 . 2008-06-11 17:14 <DIR> d-------- C:\VundoFix Backups
2008-06-11 16:08 . 2008-06-11 16:08 <DIR> d-------- C:\Program Files\Lavasoft
2008-06-10 16:01 . 2008-06-10 16:01 <DIR> d--h----- C:\BJPrinter
2008-06-10 15:59 . 2008-06-10 15:59 <DIR> d-------- C:\Program Files\microsoft frontpage
2008-06-06 17:50 . 2008-06-06 08:05 <DIR> dr------- C:\Documents and Settings\All Users.WINDOWS\Documents
2008-06-06 17:49 . 2008-06-16 09:38 <DIR> d--h----- C:\Documents and Settings\Default User.WINDOWS
2008-06-06 17:49 . 2008-06-06 08:07 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS
2008-06-06 17:42 . 2008-06-06 12:02 <DIR> d-------- C:\311WINDOWS
2008-06-06 13:56 . 2008-06-06 15:21 <DIR> d--hs---- C:\found.000
2008-06-06 08:16 . 2008-06-06 08:16 <DIR> d-------- C:\Documents and Settings\removed
2008-06-06 08:14 . 2008-06-06 08:14 <DIR> d--hs---- C:\Documents and Settings\NetworkService.NT AUTHORITY
2008-06-06 08:14 . 2008-06-06 08:14 <DIR> d--hs---- C:\Documents and Settings\LocalService.NT AUTHORITY
2008-06-06 08:07 . 2008-06-06 08:08 <DIR> d--hs---- C:\Documents and Settings\All Users.WINDOWS\DRM
2008-06-05 10:52 . 2007-03-28 20:29 131,944 --a------ C:\WINNT\system32\drivers\symsnap.sys
2008-06-05 10:52 . 2007-03-28 20:49 128,104 --a------ C:\WINNT\system32\drivers\WimFltr.sys
2008-06-05 10:52 . 2007-03-28 20:29 37,864 --a------ C:\WINNT\system32\drivers\v2imount.sys
2008-06-05 10:52 . 2007-03-28 20:23 14,072 --a------ C:\WINNT\system32\drivers\vproeventmonitor.sys
2008-06-05 07:40 . 2008-06-05 07:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ViceVersa PRO 2
2008-06-05 07:36 . 2008-06-05 07:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\KLS Soft
2008-06-05 07:09 . 2008-06-05 07:11 <DIR> d-------- C:\Program Files\Siber Systems
2008-06-05 07:09 . 2008-06-05 07:10 <DIR> d-------- C:\Documents and Settings\removed\Application Data\GoodSync
2008-06-05 06:32 . 2008-06-05 07:09 <DIR> d-------- C:\Program Files\RSJ HD Image
2008-05-22 17:58 . 2008-05-22 17:58 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-05-22 17:58 . 2008-05-22 17:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nokia
2008-05-22 17:58 . 2008-02-01 15:17 138,112 --a------ C:\WINNT\system32\drivers\nmwcdnsu.sys
2008-05-22 17:58 . 2008-02-01 15:17 8,320 --a------ C:\WINNT\system32\drivers\nmwcdnsuc.sys
2008-05-22 17:57 . 2008-05-22 17:57 <DIR> d-------- C:\Program Files\Nokia

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-16 03:20 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-06-15 00:12 --------- d-----w C:\Program Files\Google
2008-06-12 04:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-06-12 00:56 --------- d-----w C:\Documents and Settings\removed\Application Data\Symantec
2008-06-12 00:49 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-06-12 00:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-06-12 00:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-06-11 20:58 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-11 06:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-11 06:11 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-06-11 06:11 --------- d-----w C:\Documents and Settings\removed\Application Data\SUPERAntiSpyware.com
2008-06-10 06:01 --------- d-----w C:\Documents and Settings\removed\Application Data\AVG7
2008-06-06 05:58 --------- d-----w C:\Documents and Settings\removed\Application Data\dvdcss
2008-06-04 22:53 --------- d-----w C:\Documents and Settings\removed\Application Data\uTorrent
2008-06-04 21:43 --------- d-----w C:\Program Files\ICQ6
2008-05-23 06:23 --------- d-----w C:\Program Files\eMule
2008-05-22 07:57 --------- d-----w C:\Program Files\Common Files\Nokia
2008-05-22 07:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Installations
2008-05-18 21:04 --------- d-----w C:\Documents and Settings\removed\Application Data\Apple Computer
2008-05-18 21:03 --------- d-----w C:\Program Files\iPod
2008-05-14 08:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-05-08 14:02 203,136 ----a-w C:\WINNT\system32\drivers\rmcast.sys
2008-05-07 09:57 --------- d-----w C:\Documents and Settings\removed\Application Data\PC Suite
2008-05-07 05:12 1,288,192 ----a-w C:\WINNT\system32\quartz.dll
2008-05-01 20:37 --------- d-----w C:\Program Files\NCH Swift Sound
2008-04-30 20:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
2008-04-30 20:53 --------- d-----w C:\Program Files\NCH Software
2008-04-30 20:53 --------- d-----w C:\Documents and Settings\removed\Application Data\NCH Swift Sound
2008-04-28 20:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\PC Suite
2008-04-28 07:04 0 ---ha-w C:\WINNT\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-04-28 07:04 0 ---ha-w C:\WINNT\system32\drivers\Msft_Kernel_ccdcmb_01005.Wdf
2008-04-28 06:25 --------- d-----w C:\Program Files\Nokia1
2008-04-28 06:25 --------- d-----w C:\Program Files\Common Files\PCSuite
2008-04-28 06:25 --------- d-----w C:\Documents and Settings\removed\Application Data\Nokia
2008-04-28 06:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Downloaded Installations
2008-04-28 06:23 --------- d-----w C:\Program Files\PC Connectivity Solution
2008-04-28 05:40 --------- d-----w C:\Documents and Settings\removed\Application Data\DataLayer
2008-04-25 22:10 --------- d-----w C:\Documents and Settings\removed\Application Data\LimeWire
2008-04-23 04:16 826,368 ----a-w C:\WINNT\system32\wininet.dll
2008-04-21 03:32 712,704 ----a-w C:\WINNT\system32\pmph.dll
2008-04-14 00:25 1,804 ----a-w C:\WINNT\system32\dcache.bin
2008-04-14 00:16 329,728 ----a-w C:\WINNT\system32\netsetup.exe
2008-04-14 00:13 92,424 ----a-w C:\WINNT\system32\rdpdd.dll
2008-04-14 00:13 87,176 ----a-w C:\WINNT\system32\rdpwsx.dll
2008-04-14 00:13 299,520 ----a-w C:\WINNT\system32\drmclien.dll
2008-04-14 00:13 12,168 ----a-w C:\WINNT\system32\tsddd.dll
2008-04-14 00:11 997,376 ----a-w C:\WINNT\system32\msgina.dll
2008-04-14 00:10 53,279 ----a-w C:\WINNT\system32\odbcji32.dll
2008-04-14 00:10 4,126 ----a-w C:\WINNT\system32\msdxmlc.dll
2008-04-14 00:10 3,584 ----a-w C:\WINNT\system32\msafd.dll
2008-04-13 19:42 985,088 ----a-w C:\WINNT\system32\setupapi.dll
2008-04-13 19:42 11,264 ----a-w C:\WINNT\system32\spnpinst.exe
2008-04-13 19:41 423,936 ----a-w C:\WINNT\system32\licdll.dll
2008-04-13 19:30 1,845,632 ----a-w C:\WINNT\system32\win32k.sys
2008-04-13 19:24 2,145,280 ----a-w C:\WINNT\system32\ntoskrnl.exe
2008-04-13 18:44 17,664 ----a-w C:\WINNT\system32\watchdog.sys
2008-04-13 18:43 9,728 ------w C:\WINNT\system32\comsdupd.exe
2008-04-13 18:43 12,800 ----a-w C:\WINNT\system32\spiisupd.exe
2008-04-13 18:31 7,424 ----a-w C:\WINNT\system32\kd1394.dll
2008-04-13 18:31 2,023,936 ----a-w C:\WINNT\system32\ntkrnlpa.exe
2008-04-13 18:30 61,440 ----a-w C:\WINNT\system32\msvcrt40.dll
2008-04-13 18:14 76,800 ------w C:\WINNT\system32\msshavmsg.dll
2008-04-13 17:39 438,784 ----a-w C:\WINNT\system32\xpob2res.dll
2008-04-13 17:39 2,897,920 ----a-w C:\WINNT\system32\xpsp2res.dll
2008-04-13 17:39 187,392 ----a-w C:\WINNT\system32\xpsp1res.dll
2008-04-13 17:37 208,384 ----a-w C:\WINNT\system32\rsaenh.dll
2008-04-13 17:37 138,752 ----a-w C:\WINNT\system32\dssenh.dll
2008-04-13 17:27 79,872 ----a-w C:\WINNT\system32\msxml6r.dll
2008-04-13 17:26 94,208 ----a-w C:\WINNT\system32\odbcint.dll
2008-04-13 17:26 12,288 ----a-w C:\WINNT\system32\odbcp32r.dll
2008-04-13 17:26 12,288 ----a-w C:\WINNT\system32\mscpx32r.dll
2008-04-13 17:24 20,480 ----a-w C:\WINNT\system32\msorc32r.dll
2008-04-13 17:21 733,696 ----a-w C:\WINNT\system32\qedwipes.dll
2008-04-13 17:09 4,096 ----a-w C:\WINNT\system32\dsprpres.dll
2008-04-13 17:03 63,488 ----a-w C:\WINNT\system32\browselc.dll
2008-04-13 17:03 549,376 ----a-w C:\WINNT\system32\shdoclc.dll
2008-04-13 16:48 1,647,616 ----a-w C:\WINNT\system32\winbrand.dll
2008-04-13 16:45 216,064 ----a-w C:\WINNT\system32\moricons.dll
2008-04-13 16:23 48,128 ----a-w C:\WINNT\system32\msprivs.dll
2008-04-13 16:22 48,128 ----a-w C:\WINNT\system32\inetres.dll
2008-04-13 15:39 884,736 ----a-w C:\WINNT\system32\msimsg.dll
2007-11-02 01:18 47,360 ----a-w C:\Documents and Settings\removed\Application Data\pcouffin.sys
2004-08-09 13:30 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
2003-10-15 08:24 148 -c--a-w C:\Program Files\INSTALL.LOG
2003-10-10 03:14 271 -csh--w C:\Program Files\desktop.ini
2003-10-10 03:14 21,952 -c-ha-w C:\Program Files\folder.htt
.

((((((((((((((((((((((((((((( snapshot@2008-06-18_ 8.32.54.15 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-17 22:20:59 2,048 --s-a-w C:\WINNT\bootstat.dat
+ 2008-06-18 20:31:32 2,048 --s-a-w C:\WINNT\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
2008-06-12 14:47 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINNT\system32\ctfmon.exe" [2008-04-14 10:12 15360]
"H/PC Connection Agent"="C:\PROGRA~1\MI3AA1~1\wcescomm.exe" [2006-11-13 13:39 1289000]
"Nokia.PCSync"="C:\Program Files\Nokia1\Nokia PC Suite 6\PCSync2.exe" [2008-03-26 18:41 1232896]
"PC Suite Tray"="C:\Program Files\Nokia1\Nokia PC Suite 6\PCSuite.exe" [2008-04-16 12:53 1079808]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINNT\System32\NvCpl.dll" [2005-02-24 07:32 5537792]
"nwiz"="nwiz.exe" [2005-02-24 07:32 1495040 C:\WINNT\system32\nwiz.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"SoundMan"="SOUNDMAN.EXE" [2003-02-27 16:29 47104 C:\WINNT\SOUNDMAN.EXE]
"NvMediaCenter"="NvMCTray.dll" [2005-02-24 07:32 86016 C:\WINNT\system32\nvmctray.dll]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-04-17 12:41 196608]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-04-13 06:07 69632]
"ANIWZCS2Service"="C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2004-12-16 17:49 49152]
"D-Link AirPlus G"="C:\Program Files\D-Link\AirPlus G\AirGCFG.exe" [2005-07-22 10:42 1519616]
"type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe" [2003-05-16 09:45 114688]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2003-05-16 09:41 163840]
"EPSON Stylus Photo R210 Series"="C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S4I3H2.exe" [2003-09-11 13:00 99840]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-12-11 10:56 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-11 12:10 267048]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"UStorag"="c:\program files\u-storage tools\ustorage.exe" [ ]
"Synchronization Manager"="mobsync.exe" [2008-04-14 10:12 143360 C:\WINNT\system32\mobsync.exe]
"Picture It Setup wrapper"="E:\setup.exe" [ ]
"NWEReboot"="" []
"NeroFilterCheck"="C:\WINNT\system32\NeroCheck.exe" [2001-07-09 14:50 155648]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-02-14 11:01 51048]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2007-08-25 14:53 714608]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"="internat.exe" [2003-06-20 22:00 20752 C:\WINNT\system32\internat.exe]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="C:\WINNT\system32\tscupgrd.exe" [2004-08-04 22:00 44544]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winzlo32]
winzlo32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= mmdrv.dll
"msacm.divxa32"= DivXa32.acm
"vidc.yvu9"= C:\WINNT\system32\iyvu9_32.dll
"vidc.CDVC"= cdvccodc.dll
"vids.CDVC"= cdvccodc.dll
"MSACM.CEGSM"= mobilev.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
backup=C:\WINNT\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Picture Transfer Software.lnk]
backup=C:\WINNT\pss\KODAK Picture Transfer Software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\duhuh]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnappau]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft ActiveSync\\WCESCOMM.EXE"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\Program Files\\Microsoft ActiveSync\\WCESMGR.EXE"=
"C:\\Program Files\\Telstra\\unpw\\unpwclient.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\WINNT\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\eMule\\emule.exe"=
"C:\\Program Files\\ICQ6\\ICQ.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
"C:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
"C:\\WINNT\\system32\\winver.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R2 LiveUpdate Notice;LiveUpdate Notice;"C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon []
R3 EL910;3Com 3CSOHO100B-TX PCI;C:\WINNT\system32\DRIVERS\EL910N51.sys [2002-05-29 16:54]
R3 usbprint;Microsoft USB PRINTER Class;C:\WINNT\system32\DRIVERS\usbprint.sys [2008-04-14 04:47]
S2 pciinfo;HP Pci Information;C:\DOCUME~1\removed~1\LOCALS~1\Temp\ipaqhpdom\pciinfo.sys []
S3 COH_Mon;COH_Mon;C:\WINNT\system32\Drivers\COH_Mon.sys [2008-03-06 21:32]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;C:\WINNT\system32\drivers\nmwcdnsu.sys [2008-02-01 15:17]
S3 nmwcdnsuc;Nokia USB Flashing Generic;C:\WINNT\system32\drivers\nmwcdnsuc.sys [2008-02-01 15:17]
S3 usb2vcom;USB to Serial Bridge Controller;C:\WINNT\system32\Drivers\usb2vcom.sys [2005-05-25 11:24]
S3 usbhub20;USB 2.0 Root Hub Support;C:\WINNT\system32\DRIVERS\usbhub20.sys [2003-06-19 22:05]
S3 USTOR;U-Storage Controller;C:\WINNT\system32\DRIVERS\UStork.sys [2004-01-14 18:22]
S4 ptssvc;ptssvc;C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe []

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2007-12-16 22:07:43 C:\WINNT\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-06-12 00:58:19 C:\WINNT\Tasks\Norton AntiVirus - Run Full System Scan - removed.job"
- C:\Program Files\Norton AntiVirus\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-19 06:50:59
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-19 6:54:27
ComboFix-quarantined-files.txt 2008-06-18 20:53:26
ComboFix2.txt 2008-06-17 22:33:23

Pre-Run: 15,822,385,152 bytes free
Post-Run: 15,814,033,408 bytes free

287 --- E O F --- 2008-06-11 21:48:53

Edited by Orange Blossom, 14 February 2010 - 10:18 PM.


#7 Guest_Donnalee.b_*

Posted 19 June 2008 - 12:44 AM

Here are the results from the F-Secure scan.


Scanning Report
Thursday, June 19, 2008 07:24:51 - 15:40:31
Computer name: removed
Scanning type: Scan system for malware, rootkits
Target: C:\ F:\ H:\


--------------------------------------------------------------------------------

Result: 3 malware found
Tracking Cookie (spyware)
System
W32/Malware (virus)
C:\PROGRAM FILES\OXYGEN\OPM2\LOADER.EXE (Submitted)
C:\PROGRAM FILES\OXYGEN\OPM2\PATCHER.EXE (Submitted)

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 68770
System: 4854
Not scanned: 9
Actions:
Disinfected: 0
Renamed: 0
Deleted: 0
None: 3
Submitted: 2
Files not scanned:
C:\PAGEFILE.SYS
C:\WINNT\SYSTEM32\CONFIG\DEFAULT
C:\WINNT\SYSTEM32\CONFIG\SAM
C:\WINNT\SYSTEM32\CONFIG\SECURITY
C:\WINNT\SYSTEM32\CONFIG\SOFTWARE
C:\WINNT\SYSTEM32\CONFIG\SYSTEM
C:\WINNT\SOFTWAREDISTRIBUTION\EVENTCACHE\{B05B4572-F410-4B01-A892-A992AE74D42C}.BIN
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCRST.DLL
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSYS.DLL

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure USS: 2.30.0
F-Secure Blacklight: 1.0.68
F-Secure Hydra: 2.8.8110, 2008-06-18
F-Secure Pegasus: 1.20.0, 2008-04-15
F-Secure AVP: 7.0.171, 2008-06-18
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JPG LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
Use Advanced heuristics

Edited by Orange Blossom, 14 February 2010 - 10:19 PM.


#8 Guest_Cretemonster_*

Posted 19 June 2008 - 04:05 AM

What exactly is that Oxygen program?

For the Recovery Console installation, it's better to read the write-up.
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. Don't select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.


Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
  • Post the contents of the ActiveScan report


#9 Guest_Donnalee.b_*

Posted 19 June 2008 - 07:41 PM

Activescan Results
;***********************************************************************************************************************************************************************************
ANALYSIS: 2008-06-20 10:37:46
PROTECTIONS: 1
MALWARE: 18
SUSPECTS: 0
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
Norton AntiVirus 15.0.0.58 Yes Yes
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00039204 adware/cws Adware No 0 Yes No c:\documents and settings\removed\favorites\health
00139535 Application/Processor HackTools No 0 Yes No C:\SDFix\SDFix\apps\Process.exe
00139535 Application/Processor HackTools No 0 Yes No C:\SDFix\apps\Process.exe
00139535 Application/Processor HackTools No 0 Yes No F:\SDFix.exe[SDFix/apps/Process.exe]
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\removed\Cookies\removed@tribalfusion[2].txt
00160284 Cookie/Findwhat TrackingCookie No 0 Yes No C:\Documents and Settings\removed\Cookies\removed@findwhat[1].txt
00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\removed\Cookies\removed@com[1].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\removed\Cookies\removed@ad.yieldmanager[2].txt
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\removed\Cookies\removed@serving-sys[1].txt
00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\removed\Cookies\removed@bs.serving-sys[2].txt
00170554 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\removed\Cookies\removed@overture[2].txt
01176994 Bck/VB.XB Virus/Trojan No 0 No No F:\System Volume Information\_restore{E0F9FCD7-AE97-473E-A469-9C123969A807}\RP506\A0191593.exe[327882R2FWJFW\NirCmdC.cfexe]
01176994 Bck/VB.XB removed\Desktop\ComboFix.exe[327882R2FWJFW\NirCmdC.cfexe]
01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{E0F9FCD7-AE97-473E-A469-9C123969A807}\RP507\A0191695.EXE
01297189 Trj/Agent.GBF Virus/Trojan No 0 No No H:\System Volume Information\_restore{E0F9FCD7-AE97-473E-A469-9C123969A807}\RP505\A0188483.exe[_LWPro.exe]
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{E0F9FCD7-AE97-473E-A469-9C123969A807}\RP507\A0191683.sys
02933890 Generic Malware Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{E0F9FCD7-AE97-473E-A469-9C123969A807}\RP500\A0179513.dll
03007865 Dialer.LEL Dialers No 0 Yes No C:\System Volume Information\_restore{E0F9FCD7-AE97-473E-A469-9C123969A807}\RP494\A0174634.dll
03007865 Dialer.LEL Dialers No 0 Yes No C:\System Volume Information\_restore{E0F9FCD7-AE97-473E-A469-9C123969A807}\RP494\A0174635.dll
03007865 Dialer.LEL Dialers No 0 Yes No C:\System Volume Information\_restore{E0F9FCD7-AE97-473E-A469-9C123969A807}\RP494\A0174636.dll
03052664 Adware/Xpantivirus2008 Adware No 0 Yes No C:\System Volume Information\_restore{E0F9FCD7-AE97-473E-A469-9C123969A807}\RP487\A0165955.exe
03054550 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{E0F9FCD7-AE97-473E-A469-9C123969A807}\RP496\A0178801.dll
03064776 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{E0F9FCD7-AE97-473E-A469-9C123969A807}\RP487\A0165851.dll
;===================================================================================================================================================================================
SUSPECTS
Sent Location *P
;===================================================================================================================================================================================
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description *P
;===================================================================================================================================================================================
;===================================================================================================================================================================================

Edited by Orange Blossom, 14 February 2010 - 10:21 PM.


#10 Guest_Cretemonster_*

Posted 20 June 2008 - 12:18 PM

Go ahead and delete this folder--> c:\documents and settings\removed\favorites\health

Click Start--> Run--> Type in combofix /u and click OK to uninstall ComboFix.

Type in cd\ and click OK


Now we need to reset System Restore and Clear out all the old infected restore points.
  • Click Start
  • Right-Click "My Computer" and Select Properties.
  • Click on the "System Restore" tab.
  • Place a checkmark in the box for "Turn off System Restore" and Click "Apply."
  • Restart the Computer.
  • Return to System Restore and Uncheck the box for "Turn off System Restore" and Click "Apply."
  • A fresh Restore Point will be created.
Take the time to look through Add\Remove Programs and get rid of anything you don't use and are sure you can live without, and keep all current applications up to date and fully patched.

Secunia has a good check for such things:
http://secunia.com/software_inspector/


So, how is the PC running today?

Edited by Orange Blossom, 14 February 2010 - 10:22 PM.
